Poorly secured Microsoft SQL servers in the US, EU, and LATAM are being attacked by financially motivated Turkish threat actors in an ongoing campaign to deliver MIMIC ransomware payloads, according to a Securonix research.
The financial cyberthreat campaign named RE#TURGENCE gains initial access into victim systems by targeting and exploiting insecurely configured MSSQL database servers, an infection technique observed earlier this year with the DB#JAMMER campaign that subsequently delivered Cobalt Strike and FreeWorld ransomware.
âThe analyzed threat campaign appears to end in one of two ways, either the selling of âaccessâ to the compromised host, or the ultimate delivery of ransomware payloads,â Securonix said in a blog post. âThe timeline for the events was about one month from initial access to the deployment of MIMIC ransomware on the victim domain.â
Securonix was able to uncover the details of the campaign due to a major OPSEC failure by the attackers. âAs the attack unfolded, we were able to monitor the attackers and the system they were using closely through their own Remote Monitoring and Management (RMM) software,â Securonix added.
Initial access through brute force
The RE#TURGENCE threat activities Securomix was tracking initially had the threat actors brute force their way into the victim MSSQL server and exploit the xp_cmdshell procedure, which allows execution of operating system commands from within the SQL server.
âTypically, this procedure is disabled by default and should not be enabled, especially on publicly exposed servers,â Securonix said.
The attackers then used this ability to execute commands on the host system to execute a Powershell command that downloaded a semi-obfuscated file for a secondary download that contained a heavily obfuscated Cobalt Strike payload. The obfuscation was majorly done through hundreds of lines of combined variables and useless comment blocks, the post added.
Cobalt Strike is a commercial penetration testing tool, which gives security testers access to a large variety of attack capabilities. The tool is capable of generating remote agents known as beacons that can be deployed to achieve remote code execution (RCE) on the target system once initial access has been gained.
â(In this case), the Cobalt Strike beacon was configured to inject into the Windows-native process SndVol.exe,â Securonix said. âThis process handles volume controls and settings for the system.â
Using Cobalt Strike for final payload
The attacker eventually shifted to using Cobalt Strike as the main point of code execution and downloaded Anydesk binaries to install Anydesk and add a new local user with administrator controls. This further enabled the attackers to download Mimikatz, a Windows exploit to extract passwords stored in memory, on the host system.
This was followed with a few steps to establish persistence in the host system. âThe threat actors then shifted gears and decided to get to know the network and domain a bit better,â Securonix added.
Finally, the attackers used compromised Anydesk administrator controls to download a self-extracting archive that ran red.exe dropper, the final Mimic ransomware payload.
Securonix has advised users to refrain from exposing critical servers directly to the internet and use a VPN instead to allow access to these resources. Additionally, limiting the usage of xp_cmdshell procedure on MSSQL servers, deploying process-level logging such as PowerShell logging, and monitoring the creation of new users on endpoints can be a few useful ways to protect against such intrusion.